Systems and methods for secure network function virtualization license management

ABSTRACT

A system for secure management of licensing and distributing virtual network functions (VNF) is provided. The system includes a VNF license manager, a VNF repository, and a VNF license database. The VNF license manager is in communication with the VNF repository and the VNF license database. The VNF license manager is programmed to receive a request for access to a first VNF from a virtual network. The virtual network is configured to execute the first VNF. The VNF license manager is also programmed to determine if the virtual network may access the first VNF based on one or more policies associated with the first VNF. If the virtual network may access the first VNF, the VNF license manager is programmed to retrieve the first VNF from the VNF repository and transmit the first VNF to the virtual network.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/578,013, filed Sep. 20, 2019. U.S. patent application Ser. No.16/578,013 claims the benefit of and priority to U.S. Provisional PatentApplication Ser. No. 62/733,724, filed Sep. 20, 2018. Both disclosuresare incorporated herein by reference in its entirety.

BACKGROUND

The field of the disclosure relates generally to management of licensesfor virtual network functions, and more particularly, to securemanagement of licensing and distributing virtual network functions.

The European Telecommunication Standards Institute (ETSI) has generatedthe Management and Operations (MANO) architecture for Network FunctionVirtualization (NFV). This architecture is designed as a blueprint fordeveloping products and further standards. However, the architecture aspresented requires further architectural development to ensureimplemental development.

One of the issues is the communication between the virtual networkfunction manager (VNFM) and each virtual machine that implementsvirtualized network function component instantiation (VNFCI) as theoriginal architecture. In addition, there are distribution and securityissues with communication with the virtualized infrastructure manager(VIM). These issues include the supply chain of providing licensedvirtualized network functions. Physical network functions are usuallyprovided through a physical box from a single supplier preloaded withthe software. The licenses are bundle with the physical box. And thelong term software license is tied to the hardware lifecycle, when thehardware changes the software may need to be updated as well.Furthermore the software may only be able to work on specific hardware.Accordingly, improvements to the architecture could provide improvementsto the security and efficiency of these systems and allow for theseparation of the software cycle of functionality from the hardwarecycle.

BRIEF SUMMARY

In an embodiment, a system for secure management of licensing anddistributing virtual network functions (VNF) is provided. The systemincludes a VNF license manager, a VNF repository for storing a pluralityof VNFs including a first VNF, and a VNF license database for storing aplurality of polices associated with the plurality of VNFs. The VNFlicense manager is in communication with the VNF repository and the VNFlicense database. The VNF license manager is programmed to receive arequest for access to the first VNF from a virtual network. The virtualnetwork is configured to execute the first VNF. The VNF license manageris also programmed to determine if the virtual network may access thefirst VNF based on one or more policies of the plurality of policiesassociated with the first VNF. If the virtual network may access thefirst VNF, the VNF license manager is programmed to retrieve the firstVNF from the VNF repository and transmit the first VNF to the virtualnetwork.

In an embodiment, a virtual network function (VNF) licensing agent isprovided. The VNF licensing agent is in communication with at least onenetwork function virtualization (NFV) architecture. The VNF licensingagent is programmed to receive from the NFV architecture a request for afirst VNF. The VNF licensing agent is also programmed to transmit therequest for the first VNF to a VNF license manager, wherein the requestincludes payment information. The VNF licensing agent is furtherprogrammed to receive a copy of the first VNF from the VNF licensemanager. In addition, the VNF licensing agent is programmed to transmitthe copy of the first VNF to the NFV architecture, wherein the NFVarchitecture is configured to execute one or more instantiations of thefirst VNF.

In an embodiment, a method for secure management of licensing anddistributing virtual network functions (VNF) is provided. The method isimplemented by at least one processor in communication with at least onememory device. The method includes receiving a request for access to afirst VNF from a virtual network. The virtual network is configured toexecute the first VNF. The method also includes determining if thevirtual network may access the first VNF based on one or more policiesof a plurality of policies associated with the first VNF. If the virtualnetwork may access the first VNF, the method includes retrieving thefirst VNF from a VNF repository and transmitting the first VNF to thevirtual network.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the presentdisclosure will become better understood when the following detaileddescription is read with reference to the accompanying drawings in whichlike characters represent like parts throughout the drawings, wherein:

FIG. 1 is a schematic illustration of an exemplary computer network foran NFV architecture, in accordance with an embodiment of the disclosure.

FIG. 2 is a schematic illustration of the NFV infrastructure shown inFIG. 1 .

FIG. 3 is a schematic illustration of a VNF Licensing Architecture, inaccordance with an embodiment of the disclosure.

Unless otherwise indicated, the drawings provided herein are meant toillustrate features of embodiments of this disclosure. These featuresare believed to be applicable in a wide variety of systems including oneor more embodiments of this disclosure. As such, the drawings are notmeant to include all conventional features known by those of ordinaryskill in the art to be required for the practice of the embodimentsdisclosed herein.

DETAILED DESCRIPTION

In the following specification and claims, reference will be made to anumber of terms, which shall be defined to have the following meanings.

The singular forms “a,” “an,” and “the” include plural references unlessthe context clearly dictates otherwise.

“Optional” or “optionally” means that the subsequently described eventor circumstance may or may not occur, and that the description includesinstances where the event occurs and instances where it does not.

Approximating language, as used herein throughout the specification andclaims, may be applied to modify any quantitative representation thatcould permissibly vary without resulting in a change in the basicfunction to which it is related. Accordingly, a value modified by a termor terms, such as “about,” “approximately,” and “substantially,” are notto be limited to the precise value specified. In at least someinstances, the approximating language may correspond to the precision ofan instrument for measuring the value. Here and throughout thespecification and claims, range limitations may be combined and/orinterchanged; such ranges are identified and include all the sub-rangescontained therein unless context or language indicates otherwise.

As used herein, the terms “processor” and “computer” and related terms,e.g., “processing device”, “computing device”, and “controller” are notlimited to just those integrated circuits referred to in the art as acomputer, but broadly refers to a microcontroller, a microcomputer, aprogrammable logic controller (PLC), an application specific integratedcircuit (ASIC), and other programmable circuits, and these terms areused interchangeably herein. In the embodiments described herein, memorymay include, but is not limited to, a computer-readable medium, such asa random access memory (RAM), and a computer-readable non-volatilemedium, such as flash memory. Alternatively, a floppy disk, a compactdisc—read only memory (CD-ROM), a magneto-optical disk (MOD), and/or adigital versatile disc (DVD) may also be used. Also, in the embodimentsdescribed herein, additional input channels may be, but are not limitedto, computer peripherals associated with an operator interface such as amouse and a keyboard. Alternatively, other computer peripherals may alsobe used that may include, for example, but not be limited to, a scanner.Furthermore, in the exemplary embodiment, additional output channels mayinclude, but not be limited to, an operator interface monitor.

Further, as used herein, the terms “software” and “firmware” areinterchangeable, and include any computer program storage in memory forexecution by personal computers, workstations, clients, and servers.

As used herein, the term “non-transitory computer-readable media” isintended to be representative of any tangible computer-based deviceimplemented in any method or technology for short-term and long-termstorage of information, such as, computer-readable instructions, datastructures, program modules and sub-modules, or other data in anydevice. Therefore, the methods described herein may be encoded asexecutable instructions embodied in a tangible, non-transitory, computerreadable medium, including, without limitation, a storage device and amemory device. Such instructions, when executed by a processor, causethe processor to perform at least a portion of the methods describedherein. Moreover, as used herein, the term “non-transitorycomputer-readable media” includes all tangible, computer-readable media,including, without limitation, non-transitory computer storage devices,including, without limitation, volatile and nonvolatile media, andremovable and non-removable media such as a firmware, physical andvirtual storage, CD-ROMs, DVDs, and any other digital source such as anetwork or the Internet, as well as yet to be developed digital means,with the sole exception being a transitory, propagating signal.

The embodiments described herein provide innovative systems and methodsfor computer networks within NFV environments. The present embodimentsintroduce, among other solutions, techniques for communication betweenvirtual network functions (VNF), virtual network function managers(VNFM), operations support systems/business support systems (OSS/BSS),and VNF vendors that sell and/or licenses access to one of more VNFs toensure secure and efficient communication. The present embodiments areadvantageously applicable in the ETSI NFV Management and Orchestration(MANO) environment and architecture.

Network Functions Virtualization (NFV) adds new capabilities tocommunications networks and requires a new set of management andorchestration functions to be added to the current model of operations,administration, maintenance and provisioning. In legacy networks,Network Function (NF) implementations are often tightly coupled with theinfrastructure they run on. NFV decouples software implementations ofNetwork Functions from the computation, storage, and networkingresources they use. The virtualization insulates the Network Functionsfrom those resources through a virtualization layer.

The decoupling exposes a new set of entities, the Virtualized NetworkFunctions (VNFs), and a new set of relationships between them and theNFV Infrastructure (NFVI). VNFs can be chained with other VNFs and/orPhysical Network Functions (PNFs) to realize a Network Service (NS).

The management and orchestration of virtualized resources are leveragedfor providing VNFs with the resources they need. Resource allocation inthe NFVI is a potentially complex task as a lot of requirements andconstraints may need to be met simultaneously. Particularly requirementsfor network allocation add complexity compared to known resourceallocation strategies for computing resources in virtualizedenvironments. For example, some VNFs require low latency or highbandwidth links to other communication endpoints.

The systems and methods disclosed herein describe specific connectionsbetween the VNFs and the virtual network function manager (VNFM) to (i)improve security, (ii) increase efficiency, and (iii) ensure properdistribution. More specifically, the systems and methods describe a VNFlicense manager for controlling access to licensed VNFs. The VNF licensemanager supports standardized Application Programming Interface (API)transactions for dynamic license management. The VNF license managermoves distribution of VNFs and enforcement of VNF contracts to acentralized location. This allows the individual multiple systemoperators (MSO) and system operators to use standardized calls to accessVNFs. This also allows for a standardized interface to handle differenttypes of VNFs. In this manner the VNF license manager interfaces witheach of the individual VNF vendors and provides a standardized interfaceto the MSOs and system operators. Therefore, the VNF license manager mayact more like an app store for VNFs and reduce the amount of actionsrequired on the part of the VNF consumer.

As the supply chain for VNFs becomes more complex, different VNFproviders and users will attempt to implement different commerciallicensing schemes. The systems described herein provide new networkoperations functionality to provide dynamic license management. Thisallows the NFV Infrastructure to support standardized API-basedtransactions for dynamic license management.

FIG. 1 is a schematic illustration of an exemplary computer network 100for an NFV architecture 102. NFV architecture 102 represents, forexample, a system according to the ETSI NFV Management and Operations(MANO) specification, and includes an NFV orchestrator (NFVO) 104, an NScatalog 106, a virtual network functions (VNF) catalog 108, NFVinstances 110, NFVI resources 112, a VNF manager (VNFM) 114, and avirtualized infrastructure manager (VIM) 116.

In an exemplary embodiment, network 100 includes an operations supportsystems/business support systems (OSS/BSS) functional block 120 for andin communication with the NFV architecture 102. Network 100 alsoincludes element managers (EM) 124, virtual network functions 126, andnetwork functions virtualization infrastructure (NFVI) 128.

NFV orchestrator 104 orchestrates the NFVI resources across multipleVIMs 116 and manages the lifecycle of network services. NS Catalogue 106represents the repository of all on-boarded Network Services andsupports the creation and management of the network services deployabletemplates. VNF Catalogue 108 represents the repository of all of theon-boarded VNF packages and supports the creation and management of theVNF packages. NFV Instances 110 repository holds information of all VNFinstances 126 and network service instances. Each VNF instance 126 isrepresented by a VNF record and each ES instance is represented by an ESrecord. These records are updated during the lifecycle of respectiveinstances. NFVI Resources 112 repository holds information aboutavailable, reserved, and allocated NFVI resources as abstracted by VIM116 across the operator's Infrastructure Domains.

VNFM 114 is responsible for the lifecycle management of VNF 126instances. In some embodiments, VNFM 114 is assigned the management of asingle VNF 126 instance. In the exemplary embodiment, VNFM 114 isassigned the management of a plurality of VNF 126 instances, of the sametype or of different types. In some embodiments, VNFM 114 functions maybe generic common functions applicable to any type of VNF 126. In otherembodiments, some VNF 126 instances require specific functionalityassociated with their individual lifecycle. This functionality may bespecified in the individual VNF's package.

In the exemplary embodiment, VNFM 114 performs multiple functions foreach VNF 126 associated with it. These functions may include, but arenot limited to, VNF instantiation (including VNF configuration), VNFinstantiation feasibility checking, VNF instance software updates andupgrades, VNF instance modification, VNF instance scaling, VNFinstance-related collection of NFVI performance measurement results, VNFinstance healing, VNF instance termination, VNF lifecycle managementchange notification, management of the integrity of the VNF instancethroughout its lifecycle, and the overall coordination and adaption rolefor configuration and event reporting between VIM 116 and EM 124.

VIM 116 is responsible for controlling NFVI 128 resources. OSS/BSS 120are a combination of the operator's other operations and businesssupport functions that are not explicitly captures by NFV 102. EM 124 isresponsible for the FCAPS management functionality of a VNF 126. FCAPSstands for “Fault Management, Configuration Management, AccountingManagement, Performance Management, and Security Management.” EM 124performs functions such as, but not limited to, configuration for thenetwork functions provided by VNF 126, fault management for the networkfunctions provided by VNF 126, accounting for the usage of the VNFfunctions, collecting performance measurement results for the functionsprovided by VNF 126, and security management for the VNF functions. Insome embodiments, EM 124 collaborates with VNFM 114 to perform thosefunctions that require exchanges of information regarding the NFVIresources associated with VNF 126. NFVI 128 encompasses the hardware andsoftware components that provided the infrastructure resources whereVNFs 126 are deployed.

FIG. 2 is a schematic illustration of an NFVI 200. In an exemplaryembodiment, NFVI 200 is similar to NFVI 128 (shown in FIG. 1 ). In theexemplary embodiment, NFVI 200 describes the hardware and softwarecomponents on which the virtual networks are built.

NFVI 200 virtualizes network services rather than operating them onproprietary dedicated hardware. NFVI 200 treats hardware resources 202as commodity hardware that runs software to accomplish functions such asrouting, and firewalls. NFVI 200 executes a virtualization layer 204where computing hardware 206, storage hardware 208, and network hardware210 are used to perform virtual computing 212, virtual storage 214, andvirtual networks 216. NFVI 200 acts as an interface between hardwareresources 202 and VNFs 126 (shown in FIG. 1 ) that are desired to beexecuted.

FIG. 3 is a schematic illustration of a VNF Licensing Architecture 300,in accordance with an embodiment of the disclosure. In the exemplaryembodiment, VNF Licensing Architecture 300 acts as an interface betweenVNF vendors and NFV architecture 102 (shown in FIG. 1 ) for a multiplesystem operator (MSO), such as a cable operator.

In the exemplary embodiment, VNF License Manager 302 is in communicationwith an MSO Operations and Business support systems 304, and with aplurality of vendors 306, such as Vendor A, B, & C. Each vendor 306provides one or more VNFs 126. VNF License Manager 302 interacts withindividual vendors 306 to provide access to their VNFs 126 to NFVarchitecture 102 associated with the individual MSOs. VNF LicenseManager 302 stores images of individual VNFs 126 in a VNF repository308, and stores the policies associated with each VNF 126 andcorresponding vendor 306 in a VNF license policies database 310. VNFrepository 308 acts as an app store for individual VNFs 126, where anMSO or NFV architecture 102 may request a copy of a particular VNF 126stored in VNF repository 308. In the exemplary embodiment, VNF LicenseManager 302 receives updates to VNFs 126 and stores those updated VNFs126 in VNF repository 308. Furthermore, VNF License Manager 302 mayprovide the updated VNFs 126 to those NFV architectures 102 that arecurrently using or licensing to use the updated VNF 126.

In the exemplary embodiment, VNF License Manager 302 interfaces with theMSO or NFV architecture 102 through MSO Operations and Business supportsystems 304, which may be similar to OSS/BSS functional block 120 (shownin FIG. 1 ). In the exemplary embodiment, MSO Operations and Businesssupport systems 304 includes a VNF licensing agent 314, which acts as aninterface between VNF License Manager 302 and NFV architectures 102.

In the exemplary embodiment, VNF licensing agent 314 requests access toa particular VNF 126 from VNF License Manager 302. VNF License Manager302 provides VNF licensing agent 314 with access to a copy of VNF 126from VNF repository 308. VNF licensing agent 314 provides VNF LicenseManager 302 with payment for access to VNF 126. VNF License Manager 302routes the payment to a particular vendor 306 associated with VNF 126.In some embodiments, VNF License Manager 302 keeps a portion of thepayment as a management fee.

In the exemplary embodiment, VNF licensing agent 314 also provides VNFLicense Manager 302 with information about the usage of VNF 126 by itsNFV architectures 102. VNF License Manager 302 compares the usageinformation with the policy for VNF 126 from VNF license policiesdatabase 310. VNF License Manager 302 determines if there is a violationof the policies and then determines if VNF licensing agent 314 maycontinue to access VNF 126.

In some embodiments, the communications between VNF License Manager 302and VNF licensing agent 314 may be viewed and stored by a blockchainledger 318. For example, the blockchain ledger 318 may keep track of thepayments, usage information, and other provided information, whichallows for an immutable set of records for VNF 126. In some embodiments,blockchain ledger 318 may be accessible by one or more of VNF LicenseManager 302, VNF licensing agent 314, and a particular vendor 306associated with that VNF 126. In some embodiments, there is a singleledger for each vendor 306. In other embodiments, there is a ledger foreach VNF 126. In still other embodiments, multiple VNFs 126 frommultiple vendors 306 may be monitored in a single ledger 318, and eachindividual vendor 306 may only have access to those records associatedwith their own VNFs 126.

In the exemplary embodiments, VNF license manager 302, andcommunications with VNF licensing agent 314, are protected using apublic key infrastructure (PKI) 312. In some further embodiments, VNFrepository 308 and VNF license policy database 310 are also protected byPM 312.

The above system allows for the separation of the software cycle offunctionality from the hardware cycle. In the exemplary embodiment,racks of servers may be running thousands of VNFs. According to theadvantageous embodiments described herein, the software lifecycle may becompletely decoupled from the hardware lifecycle as NFVI 128 providesthe interface between hardware resources 202 and VNFs 126. By theseinnovative techniques, many different vendors 306 will be potentiallyenabled to provide VNFs 126, which is significantly advantageous forsmaller vendors. This advantageous separation of software cycles fromhardware cycles further enables users to dynamically change software tomeet new service needs without having to upgrade the associatedhardware.

The systems described herein allow for management of the diversity oflicensing management mechanism that exists across multiple VNF vendors306. VNF License Manager 302 may provide the interface to multiple VNFvendors 306 and handle the variety of different interfaces through asingle manager, thus removing that requirement from NFV architecture102. Furthermore VNF License Manager 302 may handle the updates to VNFs126, which allows VNF License Manager 302 to provide the latest versionof VNF 126 to the interested VNF architecture 102. More complication anddiversity in vendors 306 makes provisioning and license renewal a morecomplex, error-prone, and time-consuming process. The complication anddiversity also inhibits automation and may potentially lead to serviceoutages. Thus the goal of this system is to provide interoperability forautomated license management transaction between service providers andvendors.

The systems described herein allow all VNFs 126 to use the samelicensing methods, mechanisms, and protocols by communicating with asingle point, VNF License Manager 302. VNF License Manager 302 providesa consistent interface for VNF vendors 306. The systems describedherein, through VNF License Manager 302, provide a fully automatedlicense management process requiring no manual intervention. VNF LicenseManager 302 is also scalable to handle a large number of VNF instances.

In some embodiments, VNF License Manager 302 prevents service outagesdue to administrative errors by defaulting VNFs to running and beingactive. VNF License Manager 302 may also support multiple different VNFlicensing models, such as, but not limited to, periodic billing, usagebilling, and one-time payment. VNF License Manager 302 may also keep theaccounting of the usage of the VNF separate from the billing.Furthermore, the usage data could be authenticated and auditable, suchas through the use of one or more blockchain ledgers 318.

In the exemplary embodiment, system 300 is implemented for securemanagement of licensing and distributing virtual network functions(VNF). System 300 includes VNF license manager 302, VNF repository 308for storing a plurality of VNFs including a first VNF 126, and VNFlicense database 310 for storing a plurality of polices associated withthe plurality of VNFs. VNF license manager 302 is in communication withVNF repository 308 and VNF license database 310.

In the exemplary embodiment, VNF license manager 302 is programmed toreceive a request for access to the first VNF 126 from a virtualnetwork, such as NFV architecture 102. The virtual network is configuredto execute the first VNF 126. In the exemplary embodiment, the requestmay be received from VNF licensing agent 314. VNF license manager 302determines if the virtual network may access the first VNF 126 based onone or more policies of the plurality of policies associated with thefirst VNF 126. If the virtual network may access the first VNF 126, VNFlicense manager 302 retrieves the first VNF 126 from VNF repository 308and transmits the first VNF 126 to the virtual network.

In some embodiments, VNF license manager 302 receives usage informationabout the virtual network and the first VNF 126. VNF license manager 302analyzes the usage information in view of the one or more policiesassociated with the first VNF 126. VNF license manager 302 transmits amessage indicating that the first VNF 126 is no longer usable by thevirtual network based on the usage information. In some embodiments, VNFlicense manager 302 calculates billing information based on the analysisof the usage information.

In some further embodiments, VNF license manager 302 receives an updatedversion of the first VNF 126 from a computer device of vendor 306. VNFlicense manager 302 stores the updated version of the first VNF 126 inVNF repository 308. VNF license manager 302 transmits the updatedversion of the first VNF 126 to the virtual network.

In some other embodiments, in the case where system 300 also includesblockchain ledger 318, VNF license manager 302 may be configured tostore a plurality of communications with the virtual network inblockchain ledger 318.

In some embodiments, VNF license manager 302 transmits a copy of the oneor more policies associated with the first VNF 126 to the virtualnetwork. VNF license manager 302 then receives acknowledgement ofreceipt of the one or more policies by the virtual network. VNF licensemanager 302 transmits the first VNF 126 to the virtual network uponreceipt of the acknowledgement.

In the exemplary embodiment, in the case where system 300 also includesVNF licensing agent 314, VNF licensing agent 314 may be in communicationwith at least one NFV architecture 102. VNF licensing agent 314 receivesfrom NFV architecture 102 a request for a first VNF 126. VNF licensingagent 314 transmits the request for the first VNF 126 to VNF licensemanager 302. In some embodiments, the request includes paymentinformation. VNF licensing agent 314 receives a copy of the first VNF126 from VNF license manager 302. VNF licensing agent 314 transmits thecopy of the first VNF 126 to NFV architecture 102. NFV architecture 102is configured to execute one or more instantiations of the first VNF126.

In some embodiments, VNF licensing agent 314 receives usage informationassociated with the first VNF 126 from NFV architecture 102. VNFlicensing agent 314 transmits the usage information to VNF licensemanager 302.

In some embodiments, VNF licensing agent 314 receives a request toaccess the first VNF 126 from a second NFV architecture 102. VNFlicensing agent 314 transmits the copy of the first VNF 126 to thesecond NFV architecture 102. The second NFV architecture 102 isconfigured to execute one or more instantiations of the first VNF 126.

In some further embodiments, the VNF licensing agent 314 receives anupdated copy of the first VNF 126 from VNF license manager 302. VNFlicensing agent 314 transmits the updated copy of the first VNF 126 tothe first NFV architecture 102 and the second NFV architecture 102. Thefirst NFV architecture 102 and the second NFV architecture 102 areconfigured to halt execution of the instantiations of the first VNF 126and execute instantiations of the updated VNF 126.

In still further embodiments, VNF licensing agent 314 receives policyinformation associated with the first VNF 126 from VNF license manager302. VNF licensing agent 314 stores the policy information associatedwith the first VNF 126. VNF licensing agent 314 transmits anacknowledgement of the policy information to VNF license manager 302.

In some embodiments, VNF licensing agent 314 receives a messageindicating that the first VNF 126 is no longer usable. VNF licensingagent 314 transmits the message indicating that the first VNF 126 is nolonger usable to NFV architecture 102. In this case, NFV architecture102 may be configured to halt execution of instantiations of the firstVNF 126.

As the supply chain for VNFs becomes more complex, different VNFproviders and users will attempt to implement different commerciallicensing schemes. The systems described herein provide new networkoperations functionality to provide dynamic license management, whichadvantageously allows the NFVI to support standardized API-basedtransactions for dynamic license management.

According to the several embodiments described herein, separatemanagement infrastructure and hosted infrastructure in an NFVenvironment may be centrally implemented in a variety of differenttechnological environments, and without requiring any structural (i.e.,hardware) changes to the computer networks of such technologicalenvironments. The present embodiments therefore provide significantadvantages over computer network environments with combined orintertwined infrastructures.

Exemplary embodiments of systems and methods for separate managementinfrastructure and hosted infrastructure in an NFV environment aredescribed above in detail. The systems and methods of this disclosurethough, are not limited to only the specific embodiments describedherein, but rather, the components and/or steps of their implementationmay be utilized independently and separately from other componentsand/or steps described herein.

Although specific features of various embodiments of the disclosure maybe shown in some drawings and not in others, this convention is forconvenience purposes and ease of description only. In accordance withthe principles of the disclosure, a particular feature shown in adrawing may be referenced and/or claimed in combination with features ofthe other drawings. For example, the following list of example claimsrepresents only some of the potential combinations of elements possiblefrom the systems and methods described herein.

The computer-implemented methods discussed herein may includeadditional, less, or alternate actions, including those discussedelsewhere herein. The methods may be implemented via one or more localor remote processors, transceivers, and/or sensors (such as processors,transceivers, and/or sensors mounted on vehicles or mobile devices, orassociated with smart infrastructure or remote servers), and/or viacomputer-executable instructions stored on non-transitorycomputer-readable media or medium.

Additionally, the computer systems discussed herein may includeadditional, less, or alternate functionality, including that discussedelsewhere herein. The computer systems discussed herein may include orbe implemented via computer-executable instructions stored onnon-transitory computer-readable media or medium.

The improvements described herein may be achieved by performing one ormore of the following steps: (a) receive a request for access to thefirst VNF from a virtual network, wherein the virtual network isconfigured to execute the first VNF; (b) determine if the virtualnetwork may access the first VNF based on one or more policies of theplurality of policies associated with the first VNF; (c) if the virtualnetwork may access the first VNF, retrieve the first VNF from the VNFrepository and transmit the first VNF to the virtual network; (d)receive usage information about the virtual network and the first VNF;(e) analyze the usage information in view of the one or more policiesassociated with the first VNF; (f) transmit a message indicating thatthe first VNF is no longer usable by the virtual network based on theusage information; (g) calculate billing information based on theanalysis of the usage information; (f) receive an updated version of thefirst VNF from a vendor computer device; (g) store the updated versionof the first VNF in the VNF repository; (h) transmit the updated versionof the first VNF to the virtual network; (i) store a plurality ofcommunications with the virtual network in a blockchain ledger; (j)transmit a copy of the one or more policies associated with the firstVNF to the virtual network; (k) receive acknowledgement of receipt ofthe one or more policies by the virtual network; and (l) transmit thefirst VNF to the virtual network upon receipt of the acknowledgement.

The improvement may also be achieved by performing one or more of thefollowing steps: (a) receive from the NFV architecture a request for afirst VNF; (b) transmit the request for the first VNF to a VNF licensemanager, wherein the request includes payment information; (c) receive acopy of the first VNF from the VNF license manager; (d) transmit thecopy of the first VNF to the NFV architecture, wherein the NFVarchitecture is configured to execute one or more instantiations of thefirst VNF; (e) receive usage information associated with the first VNFfrom the NFV architecture; (f) transmit the usage information to the VNFlicense manager; (g) receive a request to access the first VNF from asecond NFV architecture; (h) transmit the copy of the first VNF to thesecond NFV architecture, wherein the second NFV architecture isconfigured to execute one or more instantiations of the first VNF; (i)receive an updated copy of the first VNF from the VNF license manager;(j) transmit the updated copy of the first VNF to the NFV architectureand the second NFV architecture, wherein the NFV architecture and thesecond NFV architecture are configured to halt execution of theinstantiations of the first VNF and execute instantiations of theupdated VNF; (k) receive policy information associated with the firstVNF from the VNF license manager; (l) store the policy informationassociated with the first VNF; (m) transmit an acknowledgement of thepolicy information to the VNF license manager; (n) receive a messageindicating that the first VNF is no longer usable; and (o) transmit themessage indicating that the first VNF is no longer usable to the NFVarchitecture, wherein the NFV architecture is configured to haltexecution of instantiations of the first VNF.

The aspects described herein may be implemented as part of one or morecomputer components such as a client device and/or one or more back-endcomponents, such as a host device, for example. Furthermore, the aspectsdescribed herein may be implemented as part of a computer networkarchitecture and/or a cognitive computing architecture that facilitatescommunications between various other devices and/or components. Thus,the aspects described herein address and solve issues of a technicalnature that are necessarily rooted in computer technology.

For instance, aspects include routing communications between separatenetworks to ensure security, distribution, and management of VNFs thatmay be provided by third-party vendors. In doing so, the aspectsovercome issues associated with having to have individual virtualnetworks deal with a plurality of different interfaces for a pluralityof different vendors of VNFs. Furthermore, these aspects reduce thechance of data compromise and allow for proper access to the VNFs inaccordance with their policies. Without the improvements suggestedherein, additional processing and memory usage, or even direct humanintervention, would be required to perform such activities. Additionaltechnical advantages include, but are not limited to: i) improved speedand responsiveness in providing and updating VNFs; ii) improvedmonitoring for compliance with policies; iii) allowing the virtualnetwork function infrastructure to interface with new VNF vendorswithout requiring specialized interfaces; iv) reducing the chance ofmalicious communications and VNFs; v) allowing for protected two-waycommunication between the vendor and the user; and vi) preventing theVNFIs from having direct access to the vendors. Additional technicaladvantages are described in other sections of the specification.

Furthermore, the embodiments described herein improve upon existingtechnologies, and improve the functionality of computers, by moreaccurately predict or identify the current security status of anyconnected device. The present embodiments improve the speed, efficiency,and accuracy in which such calculations and processor analysis may beperformed. Due to these improvements, the aspects addresscomputer-related issues regarding efficiency over conventionaltechniques. Thus, the aspects also address computer related issues thatare related to computer security, for example.

Accordingly, the innovative systems and methods described herein are ofparticular value within the realm of virtual network functions, whichhave been historically associated with a poor record of securingcommunications and data. The present embodiments enable more reliableupdating and control of such functions, but without compromising dataand communications. Furthermore, according to the disclosed techniques,the monitoring and updating of virtual network functions in greatlyimproved to improve the security, distribution, and support of thesefunctions, the associated computer devices, and the associated computernetworks.

Exemplary embodiments of systems and methods for separating licensemanagement entities from the hosted infrastructure are described abovein detail. The systems and methods of this disclosure though, are notlimited to only the specific embodiments described herein, but rather,the components and/or steps of their implementation may be utilizedindependently and separately from other components and/or stepsdescribed herein.

Although specific features of various embodiments may be shown in somedrawings and not in others, this is for convenience only. In accordancewith the principles of the systems and methods described herein, anyfeature of a drawing may be referenced or claimed in combination withany feature of any other drawing.

Some embodiments involve the use of one or more electronic or computingdevices. Such devices typically include a processor, processing device,or controller, such as a general purpose central processing unit (CPU),a graphics processing unit (GPU), a microcontroller, a reducedinstruction set computer (RISC) processor, an application specificintegrated circuit (ASIC), a programmable logic circuit (PLC), aprogrammable logic unit (PLU), a field programmable gate array (FPGA), adigital signal processing (DSP) device, and/or any other circuit orprocessing device capable of executing the functions described herein.The methods described herein may be encoded as executable instructionsembodied in a computer readable medium, including, without limitation, astorage device and/or a memory device. Such instructions, when executedby a processing device, cause the processing device to perform at leasta portion of the methods described herein. The above examples areexemplary only, and thus are not intended to limit in any way thedefinition and/or meaning of the term processor and processing device.

This written description uses examples to disclose the embodiments,including the best mode, and also to enable any person skilled in theart to practice the embodiments, including making and using any devicesor systems and performing any incorporated methods. The patentable scopeof the disclosure is defined by the claims, and may include otherexamples that occur to those skilled in the art. Such other examples areintended to be within the scope of the claims if they have structuralelements that do not differ from the literal language of the claims, orif they include equivalent structural elements with insubstantialdifferences from the literal language of the claims.

What is claimed is:
 1. A computer-implemented system for securemanagement, licensing, and distribution of a plurality of entities overa virtualized networking environment, comprising: an entity licensemanager; an entity license database in communication with the entitylicense manager, and configured for storing a plurality of policesassociated with the plurality of entities; a processor; and a memoryhaving computer-executable instructions encoded therein, which, whenexecuted by the processor, cause the entity license manager to: receivea request for access to a first entity of the plurality of entities froma virtual network of the virtualized networking environment, wherein thevirtual network is configured to execute an instantiation of the firstentity; determine if the virtual network may access the first entitybased on one or more policies of the plurality of policies associatedwith the first entity, wherein, if the virtual network may access thefirst entity, and transmit the first entity to the virtual network;transmit a copy of the one or more policies associated with the firstentity to the virtual network; receive acknowledgement of receipt of theone or more policies by the virtual network; and transmit the firstentity to the virtual network upon receipt of the acknowledgement. 2.The system of claim 1, wherein the instructions further cause the entitylicense manager to: receive usage information about the virtual networkand the first entity; and analyze the usage information in view of theone or more policies associated with the first entity.
 3. The system ofclaim 2, wherein the instructions further cause the entity licensemanager to transmit a message indicating that the first entity is nolonger usable by the virtual network based on the usage information. 4.The system of claim 2, wherein the instructions further cause the entitylicense manager to calculate billing information based on the analysisof the usage information.
 5. The system of claim 1, further comprisingan entity repository (i) for storing the plurality of the entitiesincluding the first entity, and (ii) in communication with the entitylicense manager.
 6. The system of claim 5, wherein the instructionsfurther cause the entity license manager to retrieve the first entityfrom the entity repository prior to transmitting the first entity to thevirtual network.
 7. The system of claim 5, wherein the instructionsfurther cause the entity license manager to: receive an updated versionof the first entity from a vendor computer device; store the updatedversion of the first entity in the entity repository; and transmit theupdated version of the first entity to the virtual network.
 8. Thesystem of claim 1, further comprising a blockchain ledger, and whereinthe instructions further cause the entity license manager to store aplurality of communications with the virtual network in the blockchainledger.
 9. The system of claim 1, wherein the plurality of entitiesincludes at least one virtual network function, and wherein thevirtualized networking environment includes a management andorchestration architecture.
 10. The system of claim 1, wherein theinstructions further cause the entity license manager to: receive amessage indicating that the first entity is no longer usable; andtransmit the message indicating that the first entity is no longerusable to the virtualized networking environment, wherein thevirtualized networking environment is configured to halt execution ofinstantiations of the first entity.
 11. A computer-implementedoperations support system including an entity licensing agent incommunication with a first virtualized networking environment, thesystem comprising: a processor; and a memory having computer-executableinstructions encoded therein, which, when executed by the processor,cause the entity licensing agent to: receive, from the first virtualizednetworking environment, a request for a first entity; transmit therequest for the first entity to an entity license manager, wherein therequest includes payment information; receive a copy of the first entityfrom the entity license manager; transmit the copy of the first entityto the first virtualized networking environment, wherein the firstvirtualized networking environment is configured to execute one or moreinstantiations of the first entity; receive policy informationassociated with the first entity from the entity license manager; storethe policy information associated with the first entity; and transmit anacknowledgement of the policy information to the entity license manager.12. The system in accordance with claim 11, wherein the instructionsfurther cause the entity licensing agent to: receive usage informationassociated with the first entity from the first virtualized networkingenvironment; and transmit the usage information to the entity licensemanager.
 13. The system in accordance with claim 11, wherein theinstructions further cause the entity licensing agent to: receive arequest to access the first entity from a second virtualized networkingenvironment different from the first virtualized networking environment;and transmit the copy of the first entity to the second virtualizednetworking environment, wherein the second virtualized networkingenvironment is configured to execute one or more instantiations of thefirst entity.
 14. The system in accordance with claim 13, wherein theinstructions further cause the entity licensing agent to: receive anupdated copy of the first entity from the entity license manager;transmit the updated copy of the first entity to the first virtualizednetworking environment and to the second virtualized networkingenvironment, wherein the first and second virtualized networkingenvironments are both further configured to (i) halt execution ofinstantiations of the first entity, and (ii) execute instantiations ofthe updated copy of the first entity.
 15. A method for securemanagement, licensing, and distribution of entities, the methodimplemented by at least one processor in communication with at least onememory device, the method comprising steps of: receiving a request foraccess to a first entity of the entities from a virtual network, whereinthe virtual network is configured to execute an instantiation of thefirst entity; determining if the virtual network may access the firstentity based on one or more policies of a plurality of policiesassociated with the first entity, wherein, if the virtual network mayaccess the first entity, the processor is configured to retrieve thefirst entity from an entity repository; transmitting a copy of the oneor more policies associated with the first entity to the virtualnetwork; receiving acknowledgement of receipt of the one or morepolicies by the virtual network; and transmitting the retrieved firstentity to the virtual network upon receipt of the acknowledgement. 16.The method of claim 15, further comprising: receiving usage informationabout the virtual network and the first entity; and analyzing the usageinformation in view of the one or more policies associated with thefirst entity.
 17. The method of claim 16, further comprisingtransmitting a message indicating that the first entity is no longerusable by the virtual network based on the usage information.
 18. Themethod of claim 16, further comprising calculating billing informationbased on the analysis of the usage information.
 19. The method of claim15, further comprising: receiving an updated version of the first entityfrom a vendor computer device; storing the updated version of the firstentity in the entity repository; and transmitting the updated version ofthe first entity to the virtual network.
 20. The method of claim 15,further comprising storing a plurality of communications with thevirtual network in a blockchain ledger.